
Regulator says stranger entered hospital, treated a patient, took a document … then vanished

NHS Fife is on the wrong end of a stern ticking off by Britain’s data regulator after it made a howling privacy error that aided an as yet unknown person who had entered a hospital ward only to walk off with data on 14 patients.

The “reprimand” [PDF] by the Information Commissioner’s Office is related to an alleged breach that took place at one of the sites that NHS Fife is responsible for.

Due to a “lack of checks and formal processes”, the unauthorized individual, who was not employed by the health service, was “handed” a document containing the personal data of 14 patients, and even helped administer care to one, the ICO investigation found.

The non-staff member subsequently walked off-site with the document and has yet to be found. Despite the hospital operating closed circuit television cameras, the wall socket powering the system had been turned off by a member of staff, so police are unable to name the person or find the missing document.

The ICO told NHS Fife that its security measures were insufficient for personal data retention and low staff training rates hadn’t helped. The ICO says NHS Fife broke Article 5 of the UK GDPR.

A newly installed system for documents and updated identification processes are among the fixes. As such, the regulator reckons that under the circumstances and given the remedial action already taken, a reprimand of the territorial health board was the best course of action.

Natasha Longson, head of investigations at the ICO, said:

“Patient data is highly sensitive information that must be handled with the appropriate security. When accessing healthcare and other vital services, people need to trust that their data is secure and only available to authorised individuals.

“Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to security checks and authorised access. We are pleased to see that NHS Fife has introduced new measures to prevent similar incidents from occurring in the future.”

The ICO has dished out reprimands to numerous public sector bodies in recent years, including to NHS Lanarkshire when staff were swapping photos and patients’ personal info via WhatsApp, or Surrey Police and Sussex Police for using a calling app to record phone conversations as well as to illegally retain that data.

Rather than fining public sector institutions for incompetence or a lack of training, the ICO offers advisory services to prevent repeat instances. ®